[MAD-METASPLOIT] 0x12 - Vulnerability Scanning

Vulnerability Scanning


HAHWUL exploit(handler) > db_nmap -PN 192.168.56.101
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-07 15:04 KST
[*] Nmap: Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
[*] Nmap: SYN Stealth Scan Timing: About 99.99% done; ETC: 15:04 (0:00:00 remaining)
[*] Nmap: Nmap scan report for 192.168.56.101
[*] Nmap: Host is up (0.00066s latency).
[*] Nmap: Not shown: 985 closed ports
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 135/tcp  open  msrpc
[*] Nmap: 139/tcp  open  netbios-ssn
[*] Nmap: 445/tcp  open  microsoft-ds
[*] Nmap: 554/tcp  open  rtsp
[*] Nmap: 2869/tcp open  icslap
[*] Nmap: 5357/tcp open  wsdapi
[*] Nmap: 5500/tcp open  hotline
[*] Nmap: 5800/tcp open  vnc-http
[*] Nmap: 5900/tcp open  vnc

HAHWUL exploit(handler) > search vnc

Matching Modules

Name                                    Disclosure Date  Rank       Description
----                                    ---------------  ----       -----------
auxiliary/admin/vnc/realvnc_41_bypass   2006-05-15       normal     RealVNC NULL Authentication Mode Bypass
auxiliary/scanner/vnc/vnc_login                          normal     VNC Authentication Scanner
auxiliary/scanner/vnc/vnc_none_auth                      normal     VNC Authentication None Detection
auxiliary/server/capture/vnc                             normal     Authentication Capture: VNC
exploit/multi/misc/legend_bot_exec      2015-04-27       excellent  Legend Perl IRC Bot Remote Code Execution
exploit/multi/vnc/vnc_keyboard_exec

Scanning web services for vulnerabilities with WMAP

First, load the plugin needed to use WMAP.

HAHWUL > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap

HAHWUL > help wmap

wmap Commands

Command       Description
-------       -----------
wmap_modules  Manage wmap modules
wmap_nodes    Manage nodes
wmap_run      Test targets
wmap_sites    Manage sites
wmap_targets  Manage targets
wmap_vulns    Display web vulns

First, register the target site with wmap_sites.

wmap_sites -a (vhost,url)

HAHWUL > wmap_sites -a 172.217.27.78,google.com
[*] Site created.

HAHWUL > wmap_sites -l
[*] Available sites
===============

 Id  Host            Vhost          Port  Proto  # Pages  # Forms
 --  ----            -----          ----  -----  -------  -------
 0   172.217.25.206  172.217.27.78  80    http   0        0
 1   175.158.2.152   175.158.2.152  443   https  0        0

Second, use wmap_targets to define the targets that the test will actually run against, either by URL (-t) or by the Id of a site registered above (-d).

HAHWUL > wmap_targets -t 127.0.0.1

or

HAHWUL > wmap_targets -d 0
[*] Loading 172.217.27.78,http://172.217.25.206:80/.
HAHWUL > wmap_targets -l
[*] Defined targets
===============

 Id  Vhost          Host            Port  SSL    Path
 --  -----          ----            ----  ---    ----
 0   172.217.27.78  172.217.25.206  80    false  /

Once everything is set up... run! (-e runs every WMAP-enabled module against the defined targets.)

HAHWUL > wmap_run -e
[*] Using ALL wmap enabled modules.
[-] NO WMAP NODES DEFINED. Executing local modules
[*] Testing target:
[*]     Site: 172.217.27.78 (172.217.25.206)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2017-08-07 11:33:59 +0900
[*] Loading wmap modules...
[....]

When the run finishes, the findings are stored in the database (the vulns command shows them), but wmap_vulns lists the web findings separately.

HAHWUL > wmap_vulns -l
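The two procedures above (db_nmap to find open ports, then search to pick modules for them, and the wmap_sites / wmap_targets / wmap_run / wmap_vulns sequence for web ports) are the kind of thing you end up repeating for every host. The Ruby script below is an added example, not code from the post or from Metasploit: it parses the plain-text Nmap report format shown in the db_nmap output, maps port 5900 (service vnc) to the two auxiliary/scanner/vnc modules from the search listing, maps http/https ports to the WMAP commands, and writes everything out as an msfconsole resource script. The scan text is a constructed sample modelled on the output above, the second host and the workspace name are invented, and the resource-script commands are assumed to be run after `load wmap`.

```ruby
# Added example (not from the original post or Metasploit): build a
# resource script (.rc) from Nmap's plain-text report so the scan steps
# shown on the page can be replayed with `msfconsole -q -r scan.rc`.

# Constructed sample: host .101 is copied from the db_nmap output on the
# page (trimmed to the relevant ports); host .102 is invented to give WMAP
# something to target.
SAMPLE_NMAP = <<~NMAP
  Nmap scan report for 192.168.56.101
  Host is up (0.00066s latency).
  Not shown: 985 closed ports
  PORT     STATE SERVICE
  135/tcp  open  msrpc
  445/tcp  open  microsoft-ds
  5800/tcp open  vnc-http
  5900/tcp open  vnc
  Nmap scan report for 192.168.56.102
  Host is up (0.00100s latency).
  PORT     STATE SERVICE
  80/tcp   open  http
  443/tcp  open  https
NMAP

# Parse "Nmap scan report for <host>" blocks into
# { host => [{port:, proto:, service:}, ...] }, keeping only open ports.
def parse_nmap(text)
  hosts = {}
  current = nil
  text.each_line do |line|
    if (m = line.match(/^Nmap scan report for (\S+)/))
      current = m[1]
      hosts[current] = []
    elsif current && (m = line.match(%r{^(\d+)/(tcp|udp)\s+open\s+(\S+)}))
      hosts[current] << { port: m[1].to_i, proto: m[2], service: m[3] }
    end
  end
  hosts
end

# The two scanner modules listed by `search vnc` on the page. vnc_none_auth
# reports servers that accept the None security type; vnc_login tries its
# default password list (set PASS_FILE in the .rc to override it).
VNC_MODULES = %w[auxiliary/scanner/vnc/vnc_none_auth
                 auxiliary/scanner/vnc/vnc_login].freeze

def vnc_commands(host, port)
  VNC_MODULES.map do |mod|
    "use #{mod}\nset RHOSTS #{host}\nset RPORT #{port}\nrun"
  end
end

# wmap_sites -a accepts a URL; wmap_targets -t takes the same URL form.
def wmap_commands(host, port, ssl)
  url = "#{ssl ? 'https' : 'http'}://#{host}:#{port}/"
  ["wmap_sites -a #{url}", "wmap_targets -t #{url}"]
end

# Assemble the resource script. Every command is emitted in dependency
# order: workspace first, then `load wmap` (needed before any wmap_*
# command), module runs, and finally wmap_run / wmap_vulns if any web
# port was seen.
def build_rc(nmap_text, workspace = 'scan')
  lines = ["workspace -a #{workspace}", 'load wmap']
  web = false
  parse_nmap(nmap_text).each do |host, ports|
    ports.each do |p|
      case p[:service]
      when 'vnc'
        lines.concat(vnc_commands(host, p[:port]))
      when 'http', 'https'
        lines.concat(wmap_commands(host, p[:port], p[:service] == 'https'))
        web = true
      end
    end
  end
  lines.concat(['wmap_run -e', 'wmap_vulns -l']) if web
  lines.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  File.write('scan.rc', build_rc(SAMPLE_NMAP))
  puts File.read('scan.rc')
end
```

Feed real output by piping `nmap -Pn target` (the page's `-PN` is the older spelling of the same flag) into the parser instead of SAMPLE_NMAP; port 5800 (vnc-http, the Java viewer listener) is deliberately not mapped, since the RFB scanners want the 5900 protocol port.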